Microsoft revamps security hole approach
It plans to offer quick responses to unpatched flaws that are publicized
News Story by Matthew Broersma

MAY 06, 2005 (TECHWORLD.COM) - Microsoft Corp. has a new security service that will provide an immediate response when researchers publicize unpatched vulnerabilities. The pilot program run by the Microsoft Security Response Center (MSRC) and called simply Microsoft Security Advisories, complements the monthly scheduled Security Bulletins ordinarily accompanied by patches. Unlike the bulletins, though, advisories won't have to meet any fixed schedule, being issued as soon as possible after a vulnerability is disclosed.

The advisories will be used to address various issues arising between the monthly bulletins, including vulnerability disclosures and phishing scams. The advisories "will address security changes that may not require a security bulletin but that may still impact customers' overall security," said Nick McGrath, Microsoft's head of platform strategy. "Customers have told us that they want more prescriptive and timely guidance on security issues."

In the past, Microsoft has limited its detailed comments to the monthly bulletins, responding to other issues with short statements. A noticeable shift came last month when MSRC program manager Stephen Toulouse used the MSRC blog to discuss a flaw that had been disclosed in Windows 2000 systems. Typically, Microsoft uses such discussions to downplay the severity of unpatched flaws.

The advisory system is the latest development in an ongoing debate over how software vendors and security researchers should balance the need for users to be aware of vulnerabilities with the need for discretion. Microsoft has criticized security researchers for discussing flaws before a patch has been released. For their part, many researchers have said they disclose vulnerability information only if they are unable to convince Microsoft to take action.